Wireshark-bugs: [Wireshark-bugs] [Bug 8197] PER dissector crash
Date: Wed, 16 Jan 2013 03:37:10 +0000
Jeff Morriss changed bug 8197
What | Removed | Added |
---|---|---|
CC | [email protected] |
Comment #9 on bug 8197 from Jeff Morriss
I get the crash in Fedora 17. Valgrind complains thus:

~~~
==1239== Command: /home/morriss/Projects/wireshark/source2/.libs/lt-tshark -Vx -nr /tmp/fuzz-8197.pcap
==1239==
==1239== Invalid read of size 1
==1239==    at 0x4104D5: print_hex_data_buffer (print.c:997)
==1239==    by 0x411E48: print_hex_data (print.c:915)
==1239==    by 0x4197B6: print_packet (tshark.c:3589)
==1239==    by 0x41AFAD: process_packet (tshark.c:3198)
==1239==    by 0x40DE9A: main (tshark.c:2978)
==1239==  Address 0x9216800 is 0 bytes inside a block of size 1 free'd
==1239==    at 0x4A07786: free (vg_replace_malloc.c:446)
==1239==    by 0x35ACC4D50E: g_free (in /usr/lib64/libglib-2.0.so.0.3200.4)
==1239==    by 0x613ECDB: emem_free_all (emem.c:1239)
==1239==    by 0x6141828: epan_dissect_run_with_taps (epan.c:218)
==1239==    by 0x41AEAC: process_packet (tshark.c:3181)
==1239==    by 0x40DE9A: main (tshark.c:2978)
==1239==
==1239== Invalid read of size 8
==1239==    at 0x613F44D: sl_alloc (string3.h:52)
==1239==    by 0x610EF4F: proto_tree_set_representation_value (proto.c:3610)
==1239==    by 0x615FB9D: proto_tree_add_uint_format_value (proto.c:2994)
==1239==    by 0x614243F: expert_add_info_format (expert.c:192)
==1239==    by 0x62451F1: dissect_ber_set (packet-ber.c:2883)
==1239==    by 0x662EED1: dissect_pres (pres.cnf:321)
==1239==    by 0x6149067: call_dissector_through_handle (packet.c:458)
==1239==    by 0x614990C: call_dissector_work (packet.c:549)
==1239==    by 0x614B680: call_dissector_with_data (packet.c:2076)
==1239==    by 0x66DE71A: call_pres_dissector (packet-ses.c:350)
==1239==    by 0x66DF5D2: dissect_spdu (packet-ses.c:993)
==1239==    by 0x66DFE5D: dissect_ses (packet-ses.c:1219)
==1239==  Address 0x61746d2008faccf0 is not stack'd, malloc'd or (recently) free'd
==1239==
==1239==
==1239== Process terminating with default action of signal 11 (SIGSEGV)
==1239==  General Protection Fault
==1239==    at 0x613F44D: sl_alloc (string3.h:52)
==1239==    by 0x610EF4F: proto_tree_set_representation_value (proto.c:3610)
==1239==    by 0x615FB9D: proto_tree_add_uint_format_value (proto.c:2994)
==1239==    by 0x614243F: expert_add_info_format (expert.c:192)
==1239==    by 0x62451F1: dissect_ber_set (packet-ber.c:2883)
==1239==    by 0x662EED1: dissect_pres (pres.cnf:321)
==1239==    by 0x6149067: call_dissector_through_handle (packet.c:458)
==1239==    by 0x614990C: call_dissector_work (packet.c:549)
==1239==    by 0x614B680: call_dissector_with_data (packet.c:2076)
==1239==    by 0x66DE71A: call_pres_dissector (packet-ses.c:350)
==1239==    by 0x66DF5D2: dissect_spdu (packet-ses.c:993)
==1239==    by 0x66DFE5D: dissect_ses (packet-ses.c:1219)
~~~

The first ("invalid read of size 1") is because tvb_new_octet_aligned() is returning an ep_alloc'd buffer which is then being added as a data source (add_new_data_source()). I still need to go back and read about why ep_ allocations started disappearing after dissection is complete but before we're done displaying what we've dissected. Anyway, this isn't causing the crash.

After adding debuggability to the slab allocator in r47710, Valgrind now says this is the cause of the crash; I'm now out of time to actually investigate the problem:

~~~
==5296== Invalid read of size 8
==5296==    at 0x615EA7D: proto_item_append_text (proto.c:4097)
==5296==    by 0x6AB56BF: dissect_p1_MTAName (p1.cnf:691)
==5296==    by 0x62408FB: dissect_ber_choice (packet-ber.c:3398)
==5296==    by 0x6AB19AF: dissect_p1_ObjectName (p1.cnf:1203)
==5296==    by 0x6244ECE: dissect_ber_set (packet-ber.c:2850)
==5296==    by 0x6AB9421: dissect_MTSBindResult_PDU (p1.cnf:1290)
==5296==    by 0x69253A9: call_ros_oid_callback (packet-ros-template.c:196)
==5296==    by 0x62408FB: dissect_ber_choice (packet-ber.c:3398)
==5296==    by 0x6925BBF: dissect_ros_ROS (ros.cnf:196)
==5296==    by 0x6925CA7: dissect_ros (packet-ros-template.c:429)
==5296==    by 0x6149097: call_dissector_through_handle (packet.c:458)
==5296==    by 0x614993C: call_dissector_work (packet.c:549)
==5296==    by 0x614A46E: dissector_try_string (packet.c:1228)
==5296==    by 0x6247781: call_ber_oid_callback (packet-ber.c:991)
==5296==    by 0x62408FB: dissect_ber_choice (packet-ber.c:3398)
==5296==    by 0x68305EF: dissect_acse_T_encoding (acse.cnf:126)
==5296==    by 0x6246391: dissect_ber_sequence (packet-ber.c:2221)
==5296==    by 0x6830AEF: dissect_acse_EXTERNALt_U (acse.cnf:144)
==5296==    by 0x623FA97: dissect_ber_tagged_type (packet-ber.c:585)
==5296==    by 0x683072D: dissect_acse_EXTERNALt (acse.cnf:154)
==5296==    by 0x624372E: dissect_ber_sq_of (packet-ber.c:4186)
==5296==    by 0x6243E4D: dissect_ber_sequence_of (packet-ber.c:4445)
==5296==    by 0x6830B2F: dissect_acse_Association_data (acse.cnf:286)
==5296==    by 0x6246391: dissect_ber_sequence (packet-ber.c:2221)
==5296==    by 0x68309EF: dissect_acse_AARE_apdu_U (acse.cnf:249)
==5296==    by 0x623FADA: dissect_ber_tagged_type (packet-ber.c:560)
==5296==    by 0x6831555: dissect_acse_AARE_apdu (acse.cnf:101)
==5296==    by 0x62408FB: dissect_ber_choice (packet-ber.c:3398)
==5296==    by 0x6831B90: dissect_acse (acse.cnf:130)
==5296==    by 0x6149097: call_dissector_through_handle (packet.c:458)
==5296==    by 0x614993C: call_dissector_work (packet.c:549)
==5296==    by 0x614A46E: dissector_try_string (packet.c:1228)
==5296==    by 0x6247781: call_ber_oid_callback (packet-ber.c:991)
==5296==    by 0x662F203: dissect_pres_T_single_ASN1_type (pres.cnf:44)
==5296==    by 0x62408FB: dissect_ber_choice (packet-ber.c:3398)
==5296==    by 0x662E23F: dissect_pres_T_presentation_data_values (pres.cnf:101)
==5296==    by 0x6246391: dissect_ber_sequence (packet-ber.c:2221)
==5296==    by 0x662DEFF: dissect_pres_PDV_list (pres.cnf:118)
==5296==    by 0x624372E: dissect_ber_sq_of (packet-ber.c:4186)
==5296==    by 0x6243E4D: dissect_ber_sequence_of (packet-ber.c:4445)
==5296==  Address 0x155a6ae0 is 80 bytes inside a block of size 96 free'd
==5296==    at 0x4A07786: free (vg_replace_malloc.c:446)
==5296==    by 0x35ACC4D50E: g_free (in /usr/lib64/libglib-2.0.so.0.3200.4)
==5296==    by 0x35ACC61E5E: g_slice_free1 (in /usr/lib64/libglib-2.0.so.0.3200.4)
==5296==    by 0x61565E1: proto_tree_free_node (proto.c:593)
==5296==    by 0x6156581: proto_tree_children_foreach (proto.c:532)
==5296==    by 0x61565AA: proto_tree_free_node (proto.c:590)
==5296==    by 0x6156581: proto_tree_children_foreach (proto.c:532)
==5296==    by 0x61565AA: proto_tree_free_node (proto.c:590)
==5296==    by 0x6156581: proto_tree_children_foreach (proto.c:532)
==5296==    by 0x61565AA: proto_tree_free_node (proto.c:590)
==5296==    by 0x6156581: proto_tree_children_foreach (proto.c:532)
==5296==    by 0x61565AA: proto_tree_free_node (proto.c:590)
==5296==    by 0x6156581: proto_tree_children_foreach (proto.c:532)
==5296==    by 0x615661A: proto_tree_free (proto.c:605)
==5296==    by 0x61418B3: epan_dissect_cleanup (epan.c:236)
==5296==    by 0x41AF08: process_packet (tshark.c:3236)
==5296==    by 0x40DE9A: main (tshark.c:2978)
~~~
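Both Valgrind reports above describe the same defect class: memory owned by one scope (the packet-scoped `ep_` arena in the first trace, a proto tree node in the second) is still referenced after that scope has been torn down. The C program below is an added illustration written for this page; it is not Wireshark code and it models the first report only. `ep_alloc`, `ep_free_all`, `ep_owns`, `octet_align` (standing in for `tvb_new_octet_aligned()`) and the two `add_data_source_*` functions (standing in for `add_new_data_source()`) are constructed stand-ins, as is the three-byte sample packet. The unchecked registration path keeps the packet-scoped pointer and reads poisoned memory once the arena is released; the checked path copies any arena-backed buffer into storage owned by the data source, which is what a hardened registration boundary has to do when the caller's lifetime is shorter than the consumer's.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not Wireshark code: a packet-scoped ("ep_") bump
 * allocator released as a whole after dissection, like emem_free_all(). */
#define EP_ARENA_SIZE 4096
static unsigned char ep_arena[EP_ARENA_SIZE];
static size_t ep_used = 0;

static void *ep_alloc(size_t n)
{
    if (n > EP_ARENA_SIZE - ep_used) return NULL;
    void *p = ep_arena + ep_used;
    ep_used += n;
    return p;
}

/* Release all packet-scoped memory. The 0xA5 poison fill plays the role of a
 * real free(): anything still pointing here now reads junk. */
static void ep_free_all(void)
{
    memset(ep_arena, 0xA5, ep_used);
    ep_used = 0;
}

/* Does p point into the packet-scoped arena? */
static int ep_owns(const void *p)
{
    const unsigned char *c = (const unsigned char *)p;
    return c >= ep_arena && c < ep_arena + EP_ARENA_SIZE;
}

/* A registered data source outlives dissection: the hex dump is printed
 * from it after the packet scope has already been freed. */
struct data_source {
    unsigned char *data;
    size_t len;
    int heap_owned; /* 1 if the owner of this struct must free(data) */
};

/* Unchecked registration: keeps whatever pointer it is handed, so an
 * ep_alloc'd buffer dangles once ep_free_all() has run. */
static struct data_source add_data_source_unchecked(unsigned char *buf, size_t len)
{
    struct data_source ds = { buf, len, 0 };
    return ds;
}

/* Checked registration: a packet-scoped buffer is copied into heap storage
 * that lives as long as the data source itself; long-lived input is kept. */
static struct data_source add_data_source_checked(unsigned char *buf, size_t len)
{
    struct data_source ds = { buf, len, 0 };
    if (ep_owns(buf)) {
        unsigned char *copy = (unsigned char *)malloc(len ? len : 1);
        if (copy == NULL) abort();
        memcpy(copy, buf, len);
        ds.data = copy;
        ds.heap_owned = 1;
    }
    return ds;
}

/* Stand-in for tvb_new_octet_aligned(): shifts the input left by bit_offset
 * bits (1..7) into a fresh packet-scoped buffer. */
static unsigned char *octet_align(const unsigned char *in, size_t len, unsigned bit_offset)
{
    unsigned char *out = (unsigned char *)ep_alloc(len);
    if (out == NULL) return NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned next = (i + 1 < len) ? in[i + 1] : 0u;
        out[i] = (unsigned char)((in[i] << bit_offset) | (next >> (8 - bit_offset)));
    }
    return out;
}

/* One packet through dissect -> ep_free_all -> print. Writes the first byte
 * the printer reads to *first_byte; returns 1 if the data source still points
 * at live memory at print time, 0 if it dangles, -1 on allocation failure. */
static int run_packet(int checked, unsigned char *first_byte)
{
    static const unsigned char raw[] = { 0x12, 0x34, 0x56 }; /* constructed sample */
    unsigned char *aligned = octet_align(raw, sizeof raw, 4);
    if (aligned == NULL) return -1;
    struct data_source ds = checked ? add_data_source_checked(aligned, sizeof raw)
                                    : add_data_source_unchecked(aligned, sizeof raw);

    ep_free_all();             /* dissection is over: packet scope is gone */
    *first_byte = ds.data[0];  /* the hex dump reads the data source here */
    int live = !ep_owns(ds.data);
    if (ds.heap_owned) free(ds.data);
    return live;
}

int main(void)
{
    unsigned char b = 0;
    int live = run_packet(0, &b);
    printf("unchecked: live=%d first byte=0x%02X (poison)\n", live, b);
    live = run_packet(1, &b);
    printf("checked:   live=%d first byte=0x%02X\n", live, b);
    return 0;
}
```

With the sample input shifted by four bits the aligned buffer starts with 0x23; the unchecked path instead hands the printer the 0xA5 poison, which is the same symptom Valgrind reports as a read "inside a block ... free'd" when the arena is real malloc'd memory. In a static arena the read is silent, which is why an allocator with poisoning or a tool like Valgrind is needed to surface this class of bug at all.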